HoneyDrive

HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution.

HoneyDrive 3 RELEASE NOTES:

1) HoneyDrive 3 has been created entirely from scratch. It is based on Xubuntu Desktop 12.04.4 LTS edition and it is distributed as a standalone OVA file that can be easily imported as a virtual machine using virtualization software such as VirtualBox and VMware.

2) All the honeypot programs from the previous version of HoneyDrive are included, while they have also been upgraded to their latest versions and converted almost entirely to cloned git repos for easier maintenance and updating. This latter fact on its own could be considered reason enough to release the new version.

3) Many new honeypot programs have been installed that really make HoneyDrive 3 “complete” in terms of honeypot technology, plus around 50(!) new security related tools in the fields of malware analysis, forensics and network monitoring.

4) The main honeypot software packages and BruteForce Lab’s projects reside in /honeydrive. The rest of the programs reside in /opt. The location of all software can be found inside the README.txt file on the desktop.

5) HoneyDrive 3 doesn’t make itself as known to the outside world as the previous version. There are no descriptive messages and, apart from Kippo-Graph and Honeyd-Viz, no other piece of software is accessible from the outside (unless you configure it otherwise, or you can even lock down Kippo-Graph and Honeyd-Viz as well).

A note on versioning: previous versions of HoneyDrive started with a zero (0.1 and 0.2), which seemed confusing to some. I didn’t like it either and in the end I decided to “renumber” those as versions 1 and 2, essentially making this new version HoneyDrive 3, i.e. the third official release.

FREQUENTLY ASKED QUESTIONS:

Why use HoneyDrive?
HoneyDrive saves you time! It has all the major honeypot-related software pre-installed and pre-configured to work out of the box (or with some configuration options of your liking). As I have seen many times in comments or support requests I get, setting up a honeypot system is not always easy. This is especially true for new infosec enthusiasts or sysadmins and for “hard” to set up software like Dionaea, for example.

What utilities and software are included in HoneyDrive?
HoneyDrive contains all the major honeypot-related software and a ton more useful tools. For a complete list you’ll have to take a look at the README.txt file included in the virtual appliance (you’ll find it on the desktop) or online at the downloads section of SourceForge (link above).

Why isn’t [insert-name-here] included in HoneyDrive?
Unfortunately I can’t keep track of every different piece of software. But I’m very open to suggestions about HoneyDrive! If you know a tool that could be of benefit, please let me know by leaving a comment on this page and it will be included in the next release of HoneyDrive.

What is the password for [insert-name-here]?
Again, your best bet is reading the README.txt file included in the virtual appliance or found online at the downloads section of SourceForge (link above). Every password you will need is included in its appropriate section.

CHANGELOG:

HoneyDrive 3

Upgraded ALL existing honeypot software to the corresponding latest versions.

Hello Nexus, it’s quite simple really: you have to extract the files, create a new virtual machine and select the “HoneyBox.vmdk” file as its hard disk drive (ignore the other files but don’t delete them!). You can then start Kippo by executing the “start.sh” script residing inside the /home/honeybox/kippo dir.

1) Not yet. So far only Kippo is installed. Dionaea and other honeypots will be included in future versions.

2) The format of the drive is VMDK, which is used by virtual machines. I don’t fully recommend it, but you can convert a virtual drive to a physical one. See this: https://www.vmware.com/support/v2p/index.html. Also, Debian and Ubuntu are both fine, but I tend to go with Ubuntu.

I finally got to download HoneyDrive after the project had to change its name and I’d like to give you some feedback.

+ HoneyDrive is ridiculously easy to set up
+ The built-in Kippo-Graph looks great and is easy to use
+ It’s an excellent tool for gathering statistics and malware analysis
+ It will save hours and hours of my spare time reading through logs (yep, that made the wife happy too :))
– The NIC would not start during boot, had to start it manually – not a big deal 🙂

Even though I only started scratching the surface, it has already exceeded my expectations – 10/10!

I have some questions though:

1 – HoneyDrive is running on an Ubuntu Server 11.10; would you recommend staying with this version or will it survive an update?

2 – Kippo has a pseudo file system, but there are two real directories as well – /etc and /proc. From your experience, would you add additional files/directories or leave it as it is?

3 – Do you know of any other ready-to-use Python scripts that can be added to the kippo/kippo/commands directory, or will I have to build them myself?

Thanks very much for the feedback, I appreciate it! It’s nice to hear that it works as it is supposed to 🙂

About your questions:
1) I use 11.10 because it just “works”. You can upgrade it if you like, yes.
2) You can either leave them as is, or you can add your own files. It’s entirely up to you. You can also modify the existing files to add more bogus info (these are called honeytokens), for example new accounts in the /etc/passwd file.
3) No sorry, I guess you will have to code any further commands.

Regards!

Black September on November 24, 2012 at 3:16 PM

Thanks for your reply Ion.

Yep, I basically figured that much.

Already started using createfs.py and editing the current Python scripts to mirror an OpenBSD filesystem and environment.

I’ve been running HoneyDrive for a few hours now and threw a few attacks at it with medusa and hydra, and it does not pick up the automated attacks; however, when I try by hand there are no problems. Any ideas of what could have gone wrong, or is it simply undefined behaviour?

It doesn’t include Dionaea or Honeyd as advertised in the “update” section of this page. As far as I can see, it only has Kippo. Am I overlooking something? Also, SourceForge says it has Dionaea and Honeyd… ???

Hello ziplock, as mentioned here: http://bruteforcelab.com/announcing-honeydrive.html, “NOTE: The description is not very accurate for the current state of HoneyDrive. Right now only Kippo SSH honeypot and its related tools are included, but all of the above will be present in future releases.”

Sorry about that, I guess. I will release a new HoneyDrive version based on Xubuntu (with GUI) including the missing tools plus some other honeypot/malware-related utilities.

Anyone have any luck getting this running on ESXi 5?
When I try to install the OVA via “Deploy OVF Template” I get an error regarding unsupported hardware (Virtualbox). When I extract the OVA into a VMDK, a custom VM creation does not even let me see or select the VMDK file.

Hello! I have imported and am successfully running HoneyDrive. However, I am having one problem with Dionaea and I was hoping you could suggest a solution. When I start the program, it is never able to bind port 80. I have put in the specific IP address of the HoneyDrive vm in the dionaea,conf instead of going with the default, but it is still unable to bind the port. No other ports are having this problem, only port 80. Do you have any suggestions on how I might fix this?

Thank you very much for your hard work putting this great VM together!

Hello Ken. Glad you found the solution.
Did it happen because of Apache was previously binding on that port? By the way, Dionaea mostly focuses on port 445 (SMB/CIFS), that’s the mechanism for capturing malware and the like. Ports 80 and 443 are mostly to log connections (if any).
Regards.

Hi! Yes, Apache was the problem. I got it sorted now. So far, I’m getting lots of connections on ports 80, 443, 1433 and 3306, but no SMB unfortunately. Hoping that will change. I have my firewall set to forward all port 445 requests from the Internet to my HoneyDrive, so hope it will eventually get something.

I went to grc.com from my HoneyDrive and used the Shields Up page to scan my ports and see what’s showing as available. It reports port 445 is “stealth”, meaning it is not reporting itself as being in existence to the scanner. Any idea why the scan might not be able to see 445? This may be why I’m not getting any binaries or 445 connections.

Sorry to keep posting, but thought I’d update a little. I ran an nmap scan from the host computer to the HoneyDrive vm and found that port 445 on the HoneyDrive is open. I have it open on my firewall too, so I’m starting to wonder if the port is being blocked by my ISP. The ISP told me they don’t block ports, but I’m starting to wonder.

I was about to suggest the same thing. My (Greek) ISP seemed to have been blocking port 445 as well on my home connection (I didn’t ask them about it though). The reality is, this might be a “good” move by them. I have set up Dionaea on a VPS and the amount of automated exploits by worms on 445 is just enormous! Microsoft themselves advocates filtering specific ports related to SMB/CIFS on public IP addresses. I guess this might be the case here. My advice would be to call your ISP support and speak with the technical office (not the first-line of staff) who will inform you correctly on this matter.

I think that must be the case. I made sure 445 was open here locally and then ran the online nmap scan against my public IP. It reported 445 among the ports being filtered. Many of my other ports are open, like 21, 22, 80, 443, so I’m still getting traffic, just not smb traffic. Having a vps would be nice, but can’t do that at the moment.

Since 445 seems to be filtered by my ISP, I decided to give Kippo a try. I haven’t received any “real” traffic on it yet, but I have tested it and am sure real traffic can get to it. Looking forward to giving Kippo a long run. Thanks again for HoneyDrive, it sure makes it easy to get started!
Ken

Nice job. I want to ask you: is it possible to have an OVF compatible with VMware ESXi 5? I have tried to import it and unfortunately I receive this error:
“Error: OVF Package is not supported by target:
– Line 265: Unsupported hardware family ‘virtualbox-2.2’.
Completed with errors”

I suppose it is because you have used VirtualBox and there may be a compatibility issue with Vmware.

Yeah, I guess this is not an efficient way and I should change the auto-start program list in the next version, or post your corrections just in case. Let me know of any other problems or comments in general!

Regards,
Ion.

Mezzomix on February 4, 2013 at 12:19 PM

/etc/resolv.conf should not be edited. I was wrong in the post before.

It seems that inetsim.conf isn’t read by inetsim itself. Only starting inetsim with sudo inetsim --bind-address= works fine, but starting a DNS query returns the default IP address 127.0.0.1 and not the one I wrote in the inetsim.conf file.

That’s not a problem in your HoneyDrive; it is the same with a clean Ubuntu 12.04 installation.

Mezzomix on February 4, 2013 at 12:30 PM

Okay, for uncommenting the statements in the inetsim.conf file I had to delete the #. I didn’t think about it, because everything is written with #.
I am still learning^^ Now everything is fine.

Hi … I’m having some installation issues; maybe you can help? When I try to import into VirtualBox, I get issues with the VMDK being corrupt. So I tried extracting the OVF so I have access to the files inside, but half-way through I get a 7-zip error of “… vmdk: file is broken”.

Have you seen either issue elsewhere, and what can I do to get past them? I am installing onto Windows 7.

Importing the OVA into VirtualBox shouldn’t raise any problems. So I guess that the file might be truly corrupted after all, mostly due to a download error or something. Please try downloading it again and verify that the MD5 value is equal to: “f6aa9d7687eea635e79d42bc342a4563”. You can use a utility like this one: http://www.softoxi.com/md5–sha-1-checksum-utility.html to calculate the MD5.

Hello,
HoneyDrive is very helpful, but honeyd is giving me some problems. I wrote my own honeyd configuration file; when I start honeyd it responds, but when I check with nmap whether the ports specified in the configuration file are open, it shows they are closed. My log file shows logs of these scans. Please, does anyone have an idea of what is wrong? I tried using the default honeyd configuration file, but that didn’t work either.

When I attempt to import the VM, I get a message that I must accept some agreement before I can import… a window comes up but no agreement text… just an agree and disagree button… so I hit agree… the window closes and opens back up… rinse and repeat… any ideas?

I cannot connect to HoneyDrive via ssh.. (putty)
I get message “Network error: Connection Timed Out”..
I have installed HoneyDrive on a vm on the cloud… https://okeanos.grnet.gr/home/
(ova file was transformed to a .raw file and then by this .raw file an image was created.. by which I created a vm…)
Do you have any idea??

Hello Mara, not sure why this happens, but in any case HoneyDrive was not designed to be uploaded to the cloud. Okeanos is great by the way 🙂 Regards.

Mara on June 11, 2013 at 8:12 AM

So, what would you suggest?
I need to have HoneyDrive running continuously… maybe use OpenVZ??
My thesis is about honeypots and I would like to include HoneyDrive results…
your work has been very helpful by the way, thank you!!! 🙂
…(I am waiting for Okeanos’ admin’s answer about why I can’t connect to HoneyDrive)…

Hm, I don’t know. I suggest you try again one more time before concluding it doesn’t work out of the box. Otherwise, you can always setup your own honeypots on the VPS. Is there a particular honeypot you need to test? (eg Kippo). Regards.

Mara on June 12, 2013 at 7:16 AM

No, no particular honeypot..
I have installed Kippo, Dionaea and Glastopf and played a little…
and HoneyDrive has a lot more so I think it is worth a try… (and my supervisor thinks the same) 😛

by the way, I think it might work on the cloud… 😉
I still have some connection issues but Okeanos’ helpdesk has been very helpful and immediate… 🙂
if it works, I will feedback…

That is nice! Let me know how it turns out because I want to try uploading it to Okeanos as well when i find some free time. By the way, you can directly contact me through the contact form on the menu with more info on your thesis. I have completed a similar thesis for my undergrad studies and also written two conference papers on the subject and I am always interested 🙂 Regards.

If your download keeps being aborted it’s a problem with SourceForge. The easiest solution is to select another mirror 🙂 I’ve just downloaded the OVA file a couple of hours ago with no problem. So it would work I guess.

FYI, these are the checksums of the OVA file (HoneyDrive 2.0):
MD5: f6aa9d7687eea635e79d42bc342a4563
SHA1: 4c8e04a1240c43cf553bafc1462aaa3dea6d275b

Hi, I used Kippo and it was brilliant, thanks so much, but I was wondering about honeyd.

I want to use honeyd but have no idea where to start. kippo.sh started Kippo for me and logged all activity; it was simple. But honeyd on this is already set up and configured, so I am wondering how do I start honeyd? Which file starts it and where is it?

Hello Sahhid. Yeah, honeyd is not as easy as Kippo, but there are many guides online as it is one of the oldest and best low interaction honeypots around. Just Google for it and you will find some material.

Regards,
Ion

Sahhid Uddin on August 26, 2013 at 2:30 AM

Very well thank you very much for this awesomeness made my dissertation so much easier.

Hello. I think it’s working. It’s just that the attacker or whoever logged in to the honeypot didn’t type any commands. Try it yourself: log in using PuTTY/terminal, type some commands and then play it with playlog. But the thing is, why bother with files? Just enable MySQL logging in the config file and then see the sessions in the database. Regards, Ion.

You will see a lot of “empty” tty logs. When a brute-force attack succeeds it will generate a log from when the password was entered. These logs are all of the same size, 622 bytes if I recall correctly.

As for using playlog.py:

When standing in /opt/kippo/utils, this is the command I use:

$ python playlog.py -f -m 1 ../logs/tty/.log

You can see more options for the playlog.py script by executing:

$ python playlog.py
Usage: playlog.py [-bfhi] [-m secs] [-w file]
  -f    keep trying to read the log until it’s closed
  -m    maximum delay in seconds, to avoid boredom or fast-forward
        to the end. (default is 3.0)
  -i    show the input stream instead of output
  -b    show both input and output streams
  -c    colorify the output stream based on what streams are being received
  -h    display this help

Hope this helps you out, if not, let me know.

I apologise for any of this being incorrect, I don’t have a honeypot in front of me right now.
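A small reader for the Kippo TTY logs that playlog.py replays, added here as an example; it is not code from this page or from Kippo. It assumes the record layout Kippo’s kippo/core/ttylog.py writes (a 24-byte little-endian header of op, tty, length, direction, sec, usec, followed by the payload) and builds constructed sample sessions in memory, including the “empty” kind described above, so you can tell at a glance which logs contain typed commands and which are just a successful login that hung up.

```python
import io
import struct

# Record layout of Kippo's ttylog files (assumption taken from Kippo's
# kippo/core/ttylog.py, not from the blog post): a 24-byte little-endian
# header followed by `length` bytes of payload.
HEADER = struct.Struct("<iLiiLL")  # op, tty, length, direction, sec, usec
OP_OPEN, OP_CLOSE, OP_WRITE, OP_EXEC = 1, 2, 3, 4
TYPE_INPUT, TYPE_OUTPUT, TYPE_INTERACT = 1, 2, 3


def parse_ttylog(data):
    """Yield (op, direction, timestamp, payload) tuples from raw ttylog bytes.

    Stops cleanly on a truncated record, which is what a log of a session that
    is still open (or that Kippo died while writing) looks like on disk.
    """
    pos = 0
    while pos + HEADER.size <= len(data):
        op, _tty, length, direction, sec, usec = HEADER.unpack_from(data, pos)
        pos += HEADER.size
        if pos + length > len(data):
            break  # truncated payload: stop rather than guess
        payload = data[pos:pos + length]
        pos += length
        yield op, direction, sec + usec / 1e6, payload


def summarize(data):
    """Return the attacker's typed input, the pty output, and whether the
    session was 'empty' (opened and closed without a single keystroke)."""
    typed = bytearray()
    shown = bytearray()
    opened = closed = False
    for op, direction, _ts, payload in parse_ttylog(data):
        if op == OP_OPEN:
            opened = True
        elif op == OP_CLOSE:
            closed = True
        elif op == OP_WRITE:
            if direction == TYPE_INPUT:
                typed += payload
            else:
                shown += payload
    return {
        "input": bytes(typed),
        "output": bytes(shown),
        "empty": opened and not typed,
        "closed": closed,
    }


def make_ttylog(events, start=1400000000.0):
    """Build a ttylog blob in memory (constructed test data, same layout as
    Kippo writes) from a list of (op, direction, payload) tuples."""
    out = io.BytesIO()
    for i, (op, direction, payload) in enumerate(events):
        stamp = start + i * 0.5
        sec, usec = int(stamp), int(1000000 * (stamp - int(stamp)))
        out.write(HEADER.pack(op, 0, len(payload), direction, sec, usec))
        out.write(payload)
    return out.getvalue()


# Constructed sample 1: a brute-force login that succeeded and then hung up
# without typing anything, the kind of "empty" log the comment above describes.
EMPTY_SESSION = make_ttylog([
    (OP_OPEN, 0, b""),
    (OP_WRITE, TYPE_OUTPUT, b"Last login: ...\r\nsales:~# "),
    (OP_CLOSE, 0, b""),
])

# Constructed sample 2: an interactive session where commands were typed.
ACTIVE_SESSION = make_ttylog([
    (OP_OPEN, 0, b""),
    (OP_WRITE, TYPE_OUTPUT, b"sales:~# "),
    (OP_WRITE, TYPE_INPUT, b"uname -a\r"),
    (OP_WRITE, TYPE_OUTPUT, b"Linux sales 2.6.26-2-686 ...\r\nsales:~# "),
    (OP_WRITE, TYPE_INPUT, b"w\r"),
    (OP_CLOSE, 0, b""),
])

if __name__ == "__main__":
    for name, blob in (("empty", EMPTY_SESSION), ("active", ACTIVE_SESSION)):
        s = summarize(blob)
        print("%s: empty=%s input=%r" % (name, s["empty"], s["input"]))
```

To triage a real directory, read each file in log/tty/ as bytes and feed it to summarize(); the ones reporting empty=True are the 622-byte logins without commands.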

I disabled the following services/applications running on boot: ntop, tor, apache2, ircd-hybrid. I think it’s better for the user to decide what he needs. I noticed that zeitgeist daemon is also included, is it needed somewhere or can possibly be removed???

I am running Kippo (awesome bit of kit). I had a naughty guy try to connect to an FTP server but couldn’t get ftp to work. How do I enable the command so the bad guys can download from an FTP? Any help will be greatly appreciated.

This is not easy; it has to be done programmatically by the developer of Kippo. Your only option right now is to enable some output for the “ftp” command by adding a file in the “txtcmds” folder. But that won’t help the attacker to actually connect or interact with an FTP server.

Hello everyone,
Can HoneyDrive be configured to save all the data to a central server (to work as a sensor)? I have many points where I need to have a honeypot for each one, and then I need to collect all the data to a main server for analysing.

If you’re looking to consolidate multiple SQL databases (i.e. Kippo-Graph) I believe you might be able to do this as well, but sadly I have no idea how you would go about setting up remote logging of this.

I’m trying to set up my home honeypot but I’m having problems with my honeyd installation. No matter what configuration and settings I try, when trying to start honeyd I get the same error: “aborting dhclient on interface eth0 after 12 tries”.
Has anybody encountered the same error?

I have kippo running fine but I can’t seem to get TinyHoneypot to work. When I run ./thpot I see the process running, but nothing new is listening when I nmap the box. I tried shutting down apache and nmapping again, but I don’t see port 80 open for IIS like I expected (since I have http configured to be IIS in the tinyhoneypot config). I see some articles online about setting up thpot but some of the directories are different from the Honeydrive version of thpot. I feel like I’m missing a step. Can someone help with instructions on how to start tinyhoneypot in Honeydrive specifically?

I’d like to have a little beginners’ guide that says how to start. How to use HoneyDrive for productive purposes: e.g. enable mail notification; what has to be observed manually; which services should I run?

Hi,
this depends on: a) what you are trying to accomplish, b) which specific honeypot software you will use. For example, there is no universal notification system, you’ll have to set up the existing notification system for each honeypot software (if any) to alert you.

I would start by using Kippo. You can find a number of articles about it in this blog. But it’s ready to be used. Just “./start.sh” and enjoy (details about it can be found in the text file accompanying HoneyDrive). Then you might want to move on to Dionaea.

Hello Ion, really silly newbie question here. I’m trying to run kippo for the first time on honeydrive 0.2. Running the script I get a ‘no such file or directory’ error. If I type sudo and then run the script opt/kippo/start.sh it returns an unhandled error. I’ve looked in the file system and the path seems to be right, as you might expect. I don’t really know my way around linux at all so this is probably a really stupid question but would you be able to tell me, by any chance, what I’m doing wrong here?

Hi RobW, yes, it could the case. Make sure you put the VM in a Host-only network or a Public network.

RobW on July 16, 2014 at 3:20 PM

Hi Ion, I just went back to this problem today and it seems all that was wrong was that I was trying to run with root privileges. Boy do I feel like an idiot right now. Anyway it seems to work at least. 🙂

Hi,
it could be the case, if you can run a VirtualBox headless version on the RaspberryPi on a lightweight host distro and then import the OVA. But I don’t know how efficiently this might work. You have to try and give us feedback! If you succeed I can also do a blog post with you about it 🙂

Another solution is to set up Kippo directly on the Raspberry Pi, like for example: http://bob.k6rtm.net/kippo.html. For Dionaea you can use the “setupDionaea.sh” script from my Dionaea-Vagrant project (you can find the file on GitHub) to automate the setup.

Hi Jonathan,
very good question, I think I should even add the following to the FAQ:

Generally, not to the actual development. I develop HoneyDrive on my own machine, so it doesn’t exist in any remote environment where we can collaborate while building it. And there isn’t any schedule for releases, so even if we enabled remote collaboration, a new release will probably take *some* time before getting planned.

But, here are all the ways you can help in general:

1. Actually, testing is of great importance. There are a lot of things going on in HoneyDrive. Installing over 30 tools from source and managing their dependencies (which could sometimes be conflicting) isn’t the best deal. So it’s great if there are testers that can check that all the tools are actually working as they should by trying them out in real scenarios (and learning a lot in the process!).

2. If you can code, then you can contribute to all the other projects around security visualization, etc or to the honeypots themselves. From my side, I am very open to this and have already accepted pull requests. If you know PHP and/or Python let me know. The code for all the projects is hosted on GitHub.

3. Ideas/feedback. Again, this sounds trivial but it’s not. The tools need to be kept current and also become enhanced. Again, I am very open to this and some things like for example the Kippo-IP and Kippo-Playlog components of Kippo-Graph were added by some people who decided to contribute! This is relevant to the point above as well, but even if you can’t code the suggestions and requirements drafting for these are equally important.

4. Information sharing. If you use it, share the results. Some of the honeypots have integrated a logging system called hpfeeds: http://heipei.github.io/2013/05/11/Using-hpfriends-the-social-data-sharing-platform/. You will find it in their configuration files with an option to enable it or not. Sharing data via hpfeeds helps the developers of the honeypot platforms and organizations like the Honeynet Project to gather much needed data about attacks. Even if you decide not to share via hpfeeds, you can help by letting us know what kind of stuff you capture, if you see any patterns, if from the logs you suspect that attackers found a new way to identify the honeypots etc.

5. Lastly, there is a small donation button on the right side for people that appreciate this work 🙂

I’m having problems in HoneyDrive v3. Apparently, something is up with the key exchange. When I try to connect to Kippo, nothing happens. Once I press ‘Enter’, it starts the key exchange. My log file shows tons of connections but 0 login attempts.

Hi Panix, thanks for your message. I’ve just tried it (VirtualBox VM with HoneyDrive 3 in bridged mode and SSH login from my OS X Mavericks) and it worked fine. My SSH client asked me to verify the fingerprint and then Kippo correctly asked me for passwords. From what kind of machine are you trying to login into Kippo?

It seems that you need to run `sudo touch /var/log/honeypot/honeyd.log && sudo chmod -R /var/log/honeypot` for it to work. Of course it’s better to run honeyd as a “service” using the /etc/init.d script. See my latest blog post for more info (posting it in seconds).

Regards,
Ion

Raina on August 9, 2014 at 3:08 PM

Hi,
I tried the same but nothing worked out for me. I tried the instructions that you give in your new blog post but it still gives the same error. Please find the screenshot below.
Thanks and Regards
Raina

Would it be possible to distribute HoneyDrive via BitTorrent instead of or in addition to SourceForge? I have a fairly unstable rural broadband connection and while SF downloads usually break with even short interruptions, BitTorrent is much more resilient (and faster).

That would be possible, but then I’d have to pay for a seedbox or something just for this since the file is a big one and I doubt many seeders would be available at any given time. Unless of course someone “sponsors” his bandwidth specifically for this. Until then, SF provides a good service I think.

Regards,
Ion

mark_orion on August 14, 2014 at 2:14 PM

Hi Ion, I understand that problem – had it once myself and someone helped me who “colocated” a Raspberry Pi as a seedbox in a datacentre. And it’s no more a problem as I pulled the file overnight with wget. Thanks for this great piece of work! Mark

a) I want HoneyDrive installed directly on my server instead of a virtual machine. Is there any tutorial about how to install it step by step?
b) I have many servers to install HoneyDrive on. I want to realize centralized management over all of them. How should I do it? Is there any application like DionaeaFR for Dionaea?

a) HoneyDrive is distributed as an OVA file, so this is not possible. Although I have seen that AWS and Linode for example have some resources to transfer a VM to their infrastructure, I haven’t tried it. Perhaps you can try and let us know? That would be fantastic!

b) HoneyDrive is self-contained and self-managed, so no. But I am thinking of creating something to facilitate that in the future. You can “manage” the individual honeypots centrally though. For example, if you have 5 Kippo honeypots, just make all of them write to the same MySQL database so you can have an overall visibility. Also see this project as an alternative: http://threatstream.github.io/mhn/. Regarding the last question (DionaeaFR for Dionaea), it seems that you’ve made a mistake? Let me know again.

Regards,
Ion

Tomato- on August 25, 2014 at 4:07 AM

a) What I mean is that I want to know how you integrate all the modules you mentioned above (full LAMP stack, Kippo SSH honeypot, ELK stack, etc.) together on your VM workstation. If you have notes from your development, then I could follow them to install directly on my server.

b) Yeah, the last question (DionaeaFR for Dionaea) is my misunderstanding and I got it now. Your answer will help me a lot.

Hi Tomato,
unfortunately I don’t have notes (I should have kept some but I got carried away). So I guess you can just follow the official guides of the software you want to use or the tutorials I have written in the past.

Great work, thanks. Works nicely on a VMware 5.5 ESXi cluster. Someone may find this Upstart script handy for Kippo, put this in /etc/init/kippo and it will start on boot:
————————8<————————
description "Simple Kippo upstart script for honeydrive3"

Hey! I have some PCAP files I want to process and analyse (determine what sites have been visited, how often, etc) – Would Honeydrive be able to do this with ease? If so, can you please walk me through it (I will donate some money if it works)!

Hi guys, can I run the honeyd low-interaction honeypot to create deception as XP, Ubuntu etc., and can I also run the Kippo honeypot simultaneously for tracking the hackers’ activities and getting them into SQL? Can you please suggest which is the best, honeyd or Kippo? honeyd can be deceptive as all kinds of operating systems but Kippo only as Ubuntu.

Why can’t malware be downloaded on Dionaea?
I use a local IP (10.1.0.60), not a public IP, in the connection settings of the virtual HoneyDrive.
May I use a public IP?
Where do I set the public IP: on the virtual HoneyDrive or on the physical computer?
I use Windows XP on the physical computer.

I’m currently working on setting up a honeypot using honeyd through the honeydrive distro and have been unsuccessful in getting the correct fingerprints to be matched when running an nmap scan of the targeted IP. I configured honeyd to create a Microsoft Windows Server 2003 Standard Edition as the fingerprint but have been unable to get that as a result of the nmap scans. The results of the scan gives me “No exact OS matched for the host”. I was wondering if anyone had any insight on how to solve this issue.

I am trying to run the MALTRIEVE tool in HoneyDrive 3 but it couldn’t run. Does anyone know how to install it and run it properly? I am giving the error text regarding the issue with Maltrieve; please help me.

I recently re-installed HoneyDrive 3 and noticed this time around that Kippo seems to be constantly crashing. Any time a command is given that involves a “/”, it kills the connection. For example, if the attacker changes directory with cd /etc, it crashes, or even cd /.. crashes. Anyone else have experience with this or know what is causing it?

Hi Steven, not really, you can use it as you would normally use an Ubuntu linux distro. Having said that, individual honeypot/other software inside HoneyDrive that you’d like to use might have different licenses (although I can’t think of any off the top of my head). Thanks.

That is strange, you should be able to login as user “honeydrive” with password “honeydrive”. Are you trying to login as root perhaps?

Archana on February 14, 2016 at 9:09 PM

Hello, can you make a tutorial on honeyd (HoneyDrive)?

Things to be covered:
0) how to start (commands), because honeyd -d -f filename.conf doesn’t work
1) a simple config file and how to deploy it
2) how to deploy a honeypot
3) mimicking a server
4) a small network simulation

Trying to get honeyd on HoneyDrive 3 running to add to my active defenses. On startup I use honeyd -d -f test.CONF -p /home/honeydrive/Downloads/hhac-code/nmap-os-db -i eth0. This is the current nmap-os-db; I get the same error with the one that came with HoneyDrive 3.

Any clue how to fix it? A Google search doesn’t reveal much either. I don’t know if it is the DB file or the conf file honeyd is using to look up personalities in the DB. I am close but no cigar, and I cannot afford the store-bought Nova project version.

I am new to this and have taken this up as a DIY project :-). I have been able to set up and run HoneyDrive on my home PC, and the start scripts for Kippo and Dionaea have executed successfully. I can connect to the internet through HoneyDrive. I have upgraded and updated all of the HoneyDrive applications and the OS itself. I have 2 questions:

1) My home network works in 192.168….. (IPv4), but VirtualBox, running HoneyDrive, has taken up 10.0.2… (IPv4) as its own IP. I want to set up a DMZ, which by default in my router (running DD-WRT firmware) starts with 192.168… (IPv4). Should I add my physical PC’s IP address, or should I leave HoneyDrive running in VirtualBox as it is, and it would do its job… as it runs Kippo and other honeypots?

2) My Kippo web interface is opening (I haven’t seen a single entry). However, when I am using Dionaea’s http://localhost/phpliteadmin/phpliteadmin.php, it is giving me a 403 Forbidden error: “You don’t have permission to access /phpliteadmin/phpliteadmin.php on this server.” How do I fix this to access this interface?

1) I think this is happening because of your VirtualBox settings. Go to the VM’s configuration and network interfaces and look around for an option to change the adapter from NAT to Bridged: https://www.virtualbox.org/manual/ch06.html#network_bridged. This will make the VM take an address in the 192.168.x.x space. Then in your router you can forward specific ports from your public IP to your VM’s IP, like SSH, SMB, etc.

2) Hm, can you maybe check the Apache logs to see what the error might be when you get a 403? It might be because the file doesn’t have the correct permissions (to be readable by the apache/www-data user). You should also try DionaeaFR (already included) as well, it’s like Kippo-Graph but for Dionaea.

Hey Ion, I really hope you are still active here, as I could really use your help!

I’m currently trying to use the HoneyDrive 3 distro as a project for school here in Sweden, and I have been spending days trying to understand and use honeyd with my setup. Kippo and Dionaea seem to be working fine, but honeyd is being a real pain in the butt. Here is my setup.

Main Computer Ubuntu 16.04 (194.47.103.75) running Virtual Box

Honeydrive3 inside Virtual Box (194.47.103.60)

I have tried many many different tutorials on how to setup Honeyd, including yours! Each tutorial seems to be giving me different results.

With your tutorial, the honeyd daemon is started and seems to be working, yet no logs or pings reach the virtual honeypot. I even used the exact configurations, just different IP addresses!

Honestly I’m quite lost after countless tutorials and opinions, and I thought honeyd was a simple tool to start with! Is there any way you could help me out? I don’t know if you’re still active on this forum, but if you are I can post more configs and maybe we can solve this together! 🙂

Hi – I’d like to manually configure network connections for HoneyDrive; however, the server does not allow me to do so. It looks like server policies allow only the root user to change network settings, and it will not accept the password for the honeydrive account. Any ideas on how we can manually assign a static IP address to HoneyDrive?

I had a problem where I was not able to log in to HoneyDrive. Originally it did not need a login, but after I installed Honeycomb for honeyd and restarted, I was not able to log in.
I tried the password honeydrive; it did not say the password was wrong, but when I click login it goes back to the login page again.

Each honeypot is different, and it might or might not have alerting built in. Depending on the software you might have to build your own solution. For example, you might have to write some code to query the honeypot’s database periodically and get a report emailed to you. If you index events in Elasticsearch (e.g. using my fork of kippo with added ES support) then you could use something like ElastAlert, and so on.
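One way to build the “query the honeypot’s database periodically” alerting described above, as an added example that is not part of the original post or of Kippo itself: a poller that reads Kippo sessions started after a saved checkpoint and renders an alert body, leaving the e-mail transport to the caller. The table layout mirrors Kippo’s sessions/auth tables as an assumption (check doc/sql/mysql.sql in your own checkout), and the sample rows are constructed.

```python
import sqlite3
# Constructed in-memory stand-in for Kippo's MySQL database. The layout follows
# Kippo's sessions/auth tables (an assumption: compare it with doc/sql/mysql.sql
# in your Kippo checkout before pointing this at a live database).
SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT NOT NULL, endtime TEXT,
                       sensor INTEGER, ip TEXT NOT NULL, termsize TEXT, client INTEGER);
CREATE TABLE auth (id INTEGER PRIMARY KEY, session TEXT NOT NULL, success INTEGER NOT NULL,
                   username TEXT NOT NULL, password TEXT NOT NULL, timestamp TEXT NOT NULL);
"""
# Constructed sample activity: an old session and a newer one with a successful login.
SAMPLE_SESSIONS = [
    ("a1" * 16, "2016-02-14 20:00:00", "2016-02-14 20:00:05", 1, "203.0.113.10", None, 1),
    ("b2" * 16, "2016-02-14 21:09:00", None, 1, "198.51.100.7", "80x24", 2),
]
SAMPLE_AUTH = [  # (session, success, username, password, timestamp)
    ("a1" * 16, 0, "root", "123456", "2016-02-14 20:00:01"),
    ("b2" * 16, 0, "root", "toor", "2016-02-14 21:09:01"),
    ("b2" * 16, 1, "root", "password", "2016-02-14 21:09:03"),
]

def make_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?)", SAMPLE_SESSIONS)
    conn.executemany("INSERT INTO auth (session, success, username, password, timestamp) "
                     "VALUES (?,?,?,?,?)", SAMPLE_AUTH)
    return conn

def new_sessions_since(conn, checkpoint):
    """Sessions started after `checkpoint` (a 'YYYY-MM-DD HH:MM:SS' string), oldest
    first, each with its login attempts. Persist the last starttime returned as the
    next checkpoint so every poll reports only activity not yet alerted on."""
    rows = conn.execute("SELECT id, starttime, ip FROM sessions WHERE starttime > ? "
                        "ORDER BY starttime", (checkpoint,)).fetchall()
    report = []
    for sid, start, ip in rows:
        attempts = conn.execute("SELECT username, success FROM auth WHERE session = ? "
                                "ORDER BY timestamp", (sid,)).fetchall()
        report.append({"id": sid, "starttime": start, "ip": ip, "attempts": len(attempts),
                       "logins": [user for user, ok in attempts if ok]})
    return report

def format_alert(report):
    """Body for the e-mail/ticket; an empty string means there is nothing to send."""
    return "\n".join(
        f"{s['starttime']} {s['ip']} session {s['id'][:8]}: {s['attempts']} attempt(s), "
        + ("LOGIN SUCCEEDED as " + ",".join(s["logins"]) if s["logins"] else "all failed")
        for s in report)
```

Run it from cron with the checkpoint stored in a small file and pipe a non-empty body into your mailer; a successful login in the output is the event worth paging on, since it means the attacker is now interacting with the fake shell.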